Login through RADIUS is not working due to invalid shell#13141
Login through RADIUS is not working due to invalid shell#13141saravanan-i wants to merge 2 commits intosonic-net:masterfrom
Conversation
Root-Cause: RADIUS presumes that sonic launch shell (/usr/bin/sonic-launch-shell) is available by default to be authenticated users, which is not the case. This leads to failure in RADIUS authentication. What I did: Added valid bash shell (/bin/bash) in RADIUS nss code
saravanan-i
changed the title
saravanan-i
changed the title
saravanan-i
changed the title
|
Looks good to me. However, in the triage meeting where we first discussed this issue, we asked BRCM to check the reason it was first built with that shell. @zhangyanzhao did BRCM check that? can we conclude that the shell really is wrong and we can change it? if so, this PR should fix the issue. |
There was a problem hiding this comment.
Looks good to me. @lguohan / @zhangyanzhao - Please review.
|
@lguohan @qiluo-msft would you please help to approve this fix? it is needed for 202211 |
|
@qiluo-msft would you please help to review and approve? |
@saravanan-i would you please clarify? |
This PR has corrected the invalid soft link ("sonic-launch-shell") to valid RADIUS login launch shell("/bin/bash"). Other authentication protocols like TACACS use this shell ("/bin/bash") in SoNIC. Link to TACACS code which use the shell ("/bin/bash") TACACS_Link_shell |
|
@adyeung can you please help to review this PR? Thanks. |
| @@ -159,11 +159,11 @@ static void init_rnm(RADIUS_NSS_CONF_B * conf) { | |||
| rnm[0].gid = 999; | |||
| rnm[0].groups = "docker"; | |||
There was a problem hiding this comment.
To reduce the attack surface, maybe change the default group given here.
MPL = 0 user does not require docker, but maybe it does require the redis group or adm group.
There was a problem hiding this comment.
Hi @Yarden-Z . They were defined as per the existing RADIUS design document of SoNIC ( RADIUS_Design ). I haven't introduced them as part of this pull request. Can you please confirm if you have to change the same ?
There was a problem hiding this comment.
I understand that these values were introduced in the HLD design.
But given this item - I think we can re-visit this.
From my perspective, a non-privileged user requires redis (potentially) and the default adm group.
If I understood your question
| @@ -159,11 +159,11 @@ static void init_rnm(RADIUS_NSS_CONF_B * conf) { | |||
| rnm[0].gid = 999; | |||
| rnm[0].groups = "docker"; | |||
There was a problem hiding this comment.
The readonly user should be in users group, and no docker group membership. #WontFix
There was a problem hiding this comment.
Hi @qiluo-msft. User groups were defined based on existing RADIUS design document of SoNiC RADIUS_Design. I haven't introduced them as part of this pull request. Can you please confirm if we have to modify the same ?
There was a problem hiding this comment.
@saravanan-i I think we should remove this docker group because the sudoer file already allows for the read-only docker commands. Adding docker group allows this user to potentially do non-read_only things. I can push that change if you want to give me access to this branch so we can keep all the history of this PR without having to make a new one.
Summary: This is the HLD for the RADIUS test that is currently running as part of this PR: #16475 Also, note that before these tests pass in the pipeline, this PR needs to be merged into sonic-buildimage sonic-net/sonic-buildimage#13141.
Summary: This is the HLD for the RADIUS test that is currently running as part of this PR: sonic-net#16475 Also, note that before these tests pass in the pipeline, this PR needs to be merged into sonic-buildimage sonic-net/sonic-buildimage#13141.
Why I did it This is a follow up to #13141, to include removing the docker group add for the RO user for RADIUS. The sudoer file already allows docker ps command
Summary: This is the HLD for the RADIUS test that is currently running as part of this PR: sonic-net#16475 Also, note that before these tests pass in the pipeline, this PR needs to be merged into sonic-buildimage sonic-net/sonic-buildimage#13141. Signed-off-by: opcoder0 <[email protected]>
Summary: This is the HLD for the RADIUS test that is currently running as part of this PR: sonic-net#16475 Also, note that before these tests pass in the pipeline, this PR needs to be merged into sonic-buildimage sonic-net/sonic-buildimage#13141. Signed-off-by: Aharon Malkin <[email protected]>
Summary: This is the HLD for the RADIUS test that is currently running as part of this PR: sonic-net#16475 Also, note that before these tests pass in the pipeline, this PR needs to be merged into sonic-buildimage sonic-net/sonic-buildimage#13141. Signed-off-by: Guy Shemesh <[email protected]>
Summary: This is the HLD for the RADIUS test that is currently running as part of this PR: sonic-net#16475 Also, note that before these tests pass in the pipeline, this PR needs to be merged into sonic-buildimage sonic-net/sonic-buildimage#13141. Signed-off-by: Guy Shemesh <[email protected]>
10 participants
Why I did it
RADIUS presumes that sonic launch shell (/usr/bin/sonic-launch-shell) is available by default to be authenticated users, which is not the case. This leads to failure in RADIUS authentication.
How I did it
Added valid bash shell (/bin/bash) in RADIUS nss code
How to verify it
Verification of remote RADIUS user with valid credentials is authenticated without any failure - PASS
Which release branch to backport (provide reason below if selected)
Description for the changelog
Fixed RADIUS user authentication issue due to invalid shell (sonic-launch-shell)
Resolves
This pull request resolves PR#11352 (#11352) under sonic-buildimage repository.